Steve Langasek <vorlon@debian.org> writes:
> On Fri, Nov 25, 2005 at 02:57:36PM +0100, Goswin von Brederlow wrote:
>> Steve Langasek <vorlon@debian.org> writes:
>
>> > On Thu, Nov 24, 2005 at 07:17:06PM +0100, Goswin von Brederlow wrote:
>
>> >> > That's easy: you trust the Packages file to be correct when using apt,
>> >> > and it's not verified at all by per-package signatures.
>
>> >> In what way trust and how does that change anything?
>
>> >> At best you can prevent a newer version of a package to appear in the
>> >> Packages file by compromising it. You can't subvert a package itself.
>> >> But you can already ship yesterday's Release.gpg, Release and Packages
>> >> file to a user and thereby prevent any updates.
>
>> >> On the other hand, without package signatures ftp-master adds a
>> >> vulnerability. You can hack into it, replace debs, recreate the
>> >> Packages, Release and Release.gpg file and thereby infect users. With
>> >> signed debs that could still be detected by every user in apt-get.
>
>> > Only if every user is in a position to verify signatures from each Debian
>> > developer individually, which is completely unrealistic.
>
>> Up to a point you can trust the keyring. As much as you can trust any
>> DD signature. You try to argue that signatures are not absolutely
>> trustworthy but that is nothing new.
>
> I'm arguing that a 5-hop-long signature chain to establish the validity of a
> Debian package is as good as useless, and worse if the user doesn't
> understand this.
>
> And a 5-hop-long signature chain does *not* mean that anyone in that chain
> trusts the person holding the key on the end to upload packages to Debian.
They aren't meant to. The in-deb signature by the DD is only meant to
say "I did build this".
> The only thing we have that establishes *that* is the presence of the user's
> key in the Debian keyring, so then you have the logistical problem of how
> arbitrary users are supposed to verify whether a given key is in the
They aren't supposed to. They just should have the possibility.
> keyring. The debian-keyring package doesn't get updated every time there's
> a key added or removed, and the web interface to keyring.debian.org doesn't
> provide any cryptographic assurances. Oh, and BTW, check the IPs of
> ftp-master.debian.org and keyring.debian.org...
The number of packages that fall through the cracks due to the keyring
not being fully updated is marginal. You can also ask keyservers for
keys and verify them through your trust path. That is enough to
establish who built the deb (not to be confused with for whom he
built it).
MfG
Goswin
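As an added illustration of the apt trust model debated above (not part of the original mail): a Release.gpg signature only proves the archive signed the Release file at some point, so yesterday's genuine Release and Packages files still verify; the client must additionally check freshness and the per-file hashes. The Release and Packages contents below are constructed samples, and the Valid-Until field is assumed present, as it is in current Debian archives.

```python
import hashlib
from datetime import datetime

RELEASE_TIME_FMT = "%a, %d %b %Y %H:%M:%S UTC"

# Constructed sample Packages index (not taken from any real mirror).
PACKAGES = (b"Package: hello\nVersion: 2.10-2\n"
            b"Filename: pool/main/h/hello/hello_2.10-2_amd64.deb\n\n")

# Constructed sample Release file listing the hash of PACKAGES. Verifying
# Release.gpg is assumed to have happened already; this code covers what
# that signature alone does not: freshness and index integrity.
RELEASE = (
    "Origin: Example\nSuite: stable\n"
    "Date: Thu, 24 Nov 2005 12:00:00 UTC\n"
    "Valid-Until: Fri, 25 Nov 2005 12:00:00 UTC\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES).hexdigest()} {len(PACKAGES)} main/binary-amd64/Packages\n"
)

def parse_release(text):
    """Return (fields, hashes); hashes maps index path -> (sha256, size)."""
    fields, hashes, in_sha256 = {}, {}, False
    for line in text.splitlines():
        if line.startswith(" "):          # continuation line of a hash section
            if in_sha256:
                digest, size, path = line.split()
                hashes[path] = (digest, int(size))
            continue
        key, _, value = line.partition(":")
        in_sha256 = key == "SHA256"
        if value.strip():
            fields[key] = value.strip()
    return fields, hashes

def accept_index(release_text, path, data, now):
    """Decide whether a downloaded index may be used; returns (ok, reason).

    `now` is a naive UTC datetime. Without Valid-Until a replayed but
    genuinely signed Release cannot be told apart from a current one.
    """
    fields, hashes = parse_release(release_text)
    if "Valid-Until" not in fields:
        return False, "no Valid-Until: cannot detect a replayed Release"
    if now > datetime.strptime(fields["Valid-Until"], RELEASE_TIME_FMT):
        return False, "Release expired: possible replay of an old index"
    if path not in hashes:
        return False, f"{path} not listed in Release"
    digest, size = hashes[path]
    if len(data) != size or hashlib.sha256(data).hexdigest() != digest:
        return False, f"{path} does not match the hash in Release"
    return True, "ok"
```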